Department of the Interior
Office of Inspector General

Audit Report

Department of the Interior
Internal Control Program

Report No. C-IN-MOA-0002-2006    August 2007

EXECUTIVE SUMMARY

WHY WE DID THIS AUDIT

We performed this audit to determine whether DOI established an effective internal control
program for ensuring the effectiveness and efficiency of its operations in compliance with
Office of Management and Budget (OMB) Circular A-123, “Management’s Responsibility for
Internal Control.”

OMB revised Circular A-123 in December 2004 to strengthen and improve accountability for
federal agencies in light of the new requirements for publicly traded companies contained
in the Sarbanes-Oxley Act of 2002.

Because DOI was in the process of implementing the new requirements, we limited our audit
to existing requirements that were carried forward into the revised Circular. We therefore
excluded requirements contained in Appendix A of the new Circular that relate to financial
reporting.

Our audit focused on the internal control programs at the Bureau of Indian Affairs, the
Bureau of Land Management, the Bureau of Reclamation, and the National Park Service.

WHAT WE FOUND

The Department of the Interior (DOI) had not established an effective program to ensure
adequate internal controls over the effectiveness and efficiency of its operations. Although
the Office of Financial Management (PFM) developed detailed policies and procedures for
implementing DOI’s internal control program, it had not provided effective program
management and oversight to ensure that bureaus were complying with the guidance. For
example, we found that bureaus we reviewed did not adequately:

    - plan and prioritize internal control reviews,

    - conduct and document reviews to identify deficiencies and develop corrective action
      plans,

    - track implementation of corrective actions identified from management-conducted
      reviews, and

    - prepare accurate listings of reviews to support DOI’s annual assurance statement.

These weaknesses in the oversight of the internal control program increase the risk that
DOI’s internal controls cannot ensure 1) programs achieve their intended results; 2) funds
are used consistent with DOI’s mission; and 3) resources are protected from waste, fraud,
and mismanagement. We also concluded that DOI’s internal control program did not ensure
that bureaus’ annual assurance statements on internal control were reliable. Therefore,
these bureau level assurances may not have provided adequate support for the Secretary’s
certification of DOI’s annual statement of assurance.

OMB Circular A-123, “Management’s Responsibility for Internal Control,” identifies the
three objectives of internal control to be 1) the effectiveness and efficiency of program
operations, 2) reliability of financial reporting, and 3) compliance with laws and
regulations. Our conclusions are limited to the internal control program as it relates to
the effectiveness and efficiency of operations and compliance with related laws and
regulations. Controls over the reliability of financial reporting and compliance with
related laws and regulations are tested by KPMG LLP as part of DOI’s annual financial
statement audits.

During its FY2006 audit, KPMG LLP reported similar conclusions regarding DOI’s
internal control program as it relates to financial reporting. KPMG LLP identified DOI’s
control assessment and assurance statement process as a “reportable condition,” or a
deficiency that could adversely affect DOI’s ability to record, process, summarize, and
report financial data.
Specifically, KPMG LLP concluded that while DOI established an
effective plan to assess, document, test and report on internal controls over financial
reporting, certain DOI components did not fully execute the plan. Despite this reportable
condition, KPMG LLP was able to conduct sufficient procedures to express an opinion
that DOI’s FY2006 financial statements were presented fairly, in all material respects, in
conformity with U.S. generally accepted accounting principles.

During our audit, we also found that PFM’s audit follow-up process did not ensure that
Office of Inspector General (OIG) recommendations were implemented. PFM closed OIG
audit recommendations without ensuring that bureaus actually implemented them. During
FY2005 and FY2006, we reviewed 69 recommendations reported as implemented and
determined that 18 (26 percent) had not actually been implemented.

Because of these deficiencies in DOI’s internal control program and audit follow-up
process, we concluded that DOI was not in full compliance with the Federal Managers’
Financial Integrity Act and OMB Circulars A-123 and A-50, “Audit Followup.”

In its response to our draft report, management disagreed with our overall conclusion that
DOI had not established an effective internal control program and that assurance
statements therefore may not be reliable. However, management agreed that the program
could be continually improved and cited recent steps it has taken to provide greater
oversight to the bureaus. Management concurred with all four recommendations we made
for improving DOI’s internal control program. These recommendations include best
practices we identified from other federal agencies that DOI should consider adopting to
strengthen its internal control program.

After considering management’s response, we stand by our conclusions on DOI’s internal
control program.
Our results show that the bureaus we reviewed were not effectively
implementing their internal control responsibilities and PFM had not taken sufficient steps
to hold them accountable. PFM has recently taken positive steps to improve its oversight
over the bureaus; however, PFM is in the initial stages of implementing these additional
oversight procedures.

CONTENTS

INTRODUCTION
     AUDIT OBJECTIVE
     BACKGROUND

AUDIT RESULTS
     PLANNING AND PRIORITIZING INTERNAL CONTROL REVIEWS
     CONDUCTING AND DOCUMENTING INTERNAL CONTROL REVIEWS
     TRACKING IMPLEMENTATION OF CORRECTIVE ACTIONS
     SUPPORTING DOI’S ANNUAL ASSURANCE STATEMENT
     AUDIT FOLLOW-UP
     CONSEQUENCES OF WEAKNESSES IN DOI’S INTERNAL CONTROL PROGRAM
     BEST PRACTICES
     MANAGEMENT VIEWS

RECOMMENDATIONS

APPENDICES
     1–SCOPE AND METHODOLOGY
     2–DOI OFFICES, BUREAUS, OTHER FEDERAL AGENCIES AND
        NON-GOVERNMENTAL ENTITIES CONTACTED
     3–ACRONYMS AND ABBREVIATIONS
     4–STATUS OF AUDIT RECOMMENDATIONS

INTRODUCTION

AUDIT OBJECTIVE

The objective of our audit was to determine whether DOI established an effective internal
control program for ensuring the effectiveness and efficiency of its operations.
Specifically, did DOI have adequate processes for:

    - program management and oversight,

    - planning annual internal control reviews,

    - conducting and monitoring internal control reviews,

    - implementing corrective actions,

    - supporting the annual assurance statements, and

    - audit follow-up.

BACKGROUND

The Federal Managers’ Financial Integrity Act of 1982 and OMB Circular A-123,
“Management’s Responsibility for Internal Control,” require federal agencies to establish
and maintain internal controls to achieve the objectives of effective and efficient
operations, reliable financial reporting, and compliance with applicable laws and
regulations. Annually, agency heads must provide to the President and the Congress a
statement of assurance representing their informed judgment as to the overall adequacy
and effectiveness of internal control within the agency.
Specifically, these statements provide assurance that:

    - obligations and costs are in compliance with applicable laws;

    - funds, property, and other assets are safeguarded against waste, loss, unauthorized
      use, or misappropriation; and

    - revenues and expenditures are properly recorded and accounted for to permit the
      preparation of reliable financial and statistical reports.

OMB revised Circular A-123 in December 2004 to include new requirements effective in
FY2006. The revision reexamined the internal control requirements for federal agencies
in light of the new requirements for publicly traded companies contained in the
Sarbanes-Oxley Act of 2002. That Act was passed as a response to the crisis of confidence
in the financial integrity of public companies after several high profile scandals. One of the
primary changes in Circular A-123 was an increased focus on internal control over
financial reporting. OMB added Appendix A to Circular A-123 to specifically address
controls over financial reporting. Additionally, the revision required agencies to include
their statement of assurance in their annual Performance Accountability Report. During
our audit, DOI was in the process of implementing the new requirements. We focused
our audit on the existing internal control requirements being carried forward into the
revised Circular A-123.
We focused on requirements supporting the effectiveness and
efficiency of operations as well as compliance with related laws and regulations.
Controls over the reliability of financial reporting and compliance with related laws and
regulations are tested by KPMG LLP as part of DOI’s annual financial statement audits.

OMB Circular A-50, “Audit Followup,” provides requirements for federal agencies’
follow-up on audits performed by Inspectors General, other executive branch audit
organizations, the Government Accountability Office (GAO), and non-federal auditors.
Circular A-50 requires agency heads to appoint a senior manager to serve as an audit
follow-up official who has personal responsibility for ensuring that:

    - systems of audit follow-up, resolution, and corrective action are documented and
      in place;

    - timely responses are made to all audit reports;

    - disagreements are resolved; and

    - corrective actions are actually taken.

The Assistant Secretary for Policy, Management and Budget (PMB) is DOI’s designated
audit follow-up official and has overall responsibility for implementation and oversight
of the internal control and audit follow-up program. PMB’s Office of Financial
Management (PFM) is responsible for providing program guidance and oversight to the
bureaus. As a result of the revision in Circular A-123, PFM revised its guidance in 2005
by developing its new Internal Control and Audit Follow-up Handbook (Handbook). In
2006, the Handbook was implemented although it was still in draft and had not been
formally approved. PFM issues annual guidelines to bureaus for the internal control and
audit follow-up programs.
PFM is also responsible for the resolution of OIG and GAO
audit report recommendations and determination that audit recommendations have been
implemented.

Senior DOI officials and bureau directors are responsible for establishing and
maintaining adequate systems of internal control within their offices and bureaus. This
responsibility includes having procedures and systems in place to provide program
information, plan and conduct internal control reviews, report program results, and
provide annual assurance statements to DOI’s Secretary on the effectiveness of the
internal control systems.

AUDIT RESULTS

DOI had not established an effective internal control program to ensure adequate internal
controls over the effectiveness and efficiency of its operations. Although PFM developed
comprehensive policies and procedures for implementing DOI’s internal control program,
it had not provided the necessary program management and oversight to ensure that
bureaus were complying with the guidance. Specifically, we found that the bureaus we
reviewed did not adequately:

    - plan and prioritize internal control reviews,

    - conduct and document reviews to identify deficiencies and develop corrective
      action plans,

    - track implementation of corrective actions identified from management-conducted
      reviews, and

    - prepare accurate listings of reviews to support DOI’s annual assurance statement.

Our conclusions are limited to the internal control program as it relates to the
effectiveness and efficiency of operations and compliance with related laws and
regulations. Controls over the reliability of financial reporting and compliance with
related laws and regulations are tested by KPMG LLP as part of DOI’s annual financial
statement audits.
During its FY2006 audit of DOI’s financial statements, KPMG LLP
reported similar conclusions regarding DOI’s internal control program as it relates to
financial reporting. KPMG LLP identified DOI’s control assessment and assurance
statement process as a “reportable condition,” or a deficiency that could adversely affect
DOI’s ability to record, process, summarize, and report financial data. Specifically,
KPMG LLP concluded that while DOI established an effective plan to assess, document,
test and report on internal controls over financial reporting, certain DOI components did
not fully execute the plan. As a result, DOI did not consistently identify, document, and
test key financial controls; did not fully document the procedures performed to test the
design and operating effectiveness of certain controls; did not consistently document its
evaluation of the test results; and did not adequately document the population, sample
size or period tested. Despite the reportable condition regarding the control assessment
and assurance statement process, KPMG LLP was able to conduct sufficient procedures
to express an opinion that DOI’s FY2006 financial statements were presented fairly, in all
material respects, in conformity with U.S. generally accepted accounting principles.

We also found that PFM closed OIG audit recommendations without ensuring that
bureaus actually implemented them.

PLANNING AND PRIORITIZING INTERNAL CONTROL REVIEWS

We found that the bureaus we reviewed were not following PFM’s guidance for planning
and prioritizing reviews. None of the four bureaus reviewed had developed program
component inventories or conducted risk assessments.
Bureaus are required to maintain a
program components inventory, which consists of specific program functions or activities
that can be prioritized for review. Risk assessments are required for all program
components to evaluate the susceptibility to waste, loss, unauthorized use, and/or
misappropriation. How an agency assesses, monitors, and manages risk are critical
elements of any good internal control program.

Many bureau officials we interviewed were not aware of these requirements. Specifically:

    - A Bureau of Indian Affairs (BIA) headquarters official stated that BIA
      headquarters does not maintain any inventory of program components but that the
      regional offices may have prepared them. We visited the Southwest Regional
      Office and found it had neither prepared a program component inventory nor
      performed any risk assessments.

    - A Bureau of Land Management (BLM) official stated that BLM does not
      maintain a program component inventory. BLM officials acknowledged they
      were aware that risk assessments were required; however, they had not conducted
      any assessments other than the OMB-required improper payments risk
      assessment. BLM officials stated they planned to perform risk assessments in the
      future.

    - Bureau of Reclamation (BOR) officials stated that program personnel identify
      components but they do not compile them into an inventory. They also stated
      that no formal risk assessments are conducted.

    - National Park Service (NPS) officials stated that they use budget line items as
      their inventory of components. However, they could provide no evidence the
      line items were used for planning reviews or conducting risk assessments.

DOI’s Handbook requires bureaus to prepare and submit annual internal control review
plans that should provide a sufficient basis for the bureaus’ annual assurance statements.
The plans should include a prioritized schedule of reviews to be performed on specific
program components based on their annual risk assessments. PFM approved the bureaus’
annual internal control review plans without ensuring the bureaus complied with the
requirements to prepare program component inventories and conduct risk assessments.

CONDUCTING AND DOCUMENTING INTERNAL CONTROL REVIEWS

The bureaus we reviewed often did not conduct and document their internal control
reviews in compliance with DOI internal control and audit follow-up guidance. DOI’s
Handbook requires bureaus to summarize internal control review results in a report,
retain supporting documentation for independent review, and prepare corrective action
plans that identify target dates and responsible officials. The Handbook also requires
bureaus to track and document the status of all audit resolution determinations.

During our site visits, we analyzed 63 internal control review files that were identified on
the bureaus’ annual assurance statements and interviewed bureau officials who performed
the reviews.
Based on this work, we identified the following deficiencies in the files:

    - 11 (17 percent) contained no report of the review’s findings.

    - 25 (40 percent) contained no documentation supporting the review conducted.

    - 28 (44 percent) contained no corrective action plan.

    - 44 (70 percent) identified no target dates for action plans.

    - 44 (70 percent) identified no responsible official.

    - 48 (76 percent) contained no documented status or resolution determination.

We found that bureau officials either did not plan or conduct internal control reviews to
comply with the Departmental guidance or were unaware of the documentation
requirements in the guidance.

TRACKING IMPLEMENTATION OF CORRECTIVE ACTIONS

Corrective action tracking systems are necessary to ensure that recommended corrective
actions are actually taken. PFM tracks corrective actions for OIG and GAO reports but
does not track corrective actions for management-conducted reviews. We found that
none of the bureaus we reviewed had adequate tracking systems for corrective actions
recommended in management-conducted reviews. Without a formal tracking system,
there are no controls to ensure that corrective actions are actually implemented.

Two bureaus did track some of their internal control reviews. BLM tracked all
recommendations from General Management Evaluations performed by its Division of
Evaluations and Management Services and BOR tracked recommendations on reviews
appearing on its annual plan.
However, neither of these bureaus had comprehensive
tracking systems for all reviews supporting their annual statements of assurance.

SUPPORTING DOI’S ANNUAL ASSURANCE STATEMENT

The bureaus’ annual assurance statements we reviewed were based on inaccurate or
misleading listings of completed internal control reviews. Therefore, these statements
may not have been adequate to support the DOI’s Annual Assurance Statement. DOI’s
Handbook requires that bureau statements be supported with lists of internal control
reviews they conducted. The lists we reviewed were misleading because they:

    - included reviews that were either not performed or not completed;

    - included the same review more than once; and

    - incorrectly identified status reports, financial statement information, and other
      activities as internal control reviews.

For example:

    - BOR’s FY2005 Annual Assurance Statement was supported by a list that
      identified 223 internal control reviews; however, only 33 of these were identified
      as complete. The remaining 190 reviews included reviews that were identified as
      still ongoing or were not clearly classified.

    - NPS’s FY2005 Annual Assurance Statement was supported by a list that
      identified 1,155 internal control reviews. The list did not identify review
      locations, responsible officials, and specific dates when reviews were completed.
      Some reviews were listed more than once, and 189 reviews were identified as not
      completed.

    - BLM’s FY2005 annual review plan identified 70 internal control reviews. We
      reviewed the FY2005 annual assurance statement and found that only 10 of these
      reviews were reported as completed. There was no evidence that BLM reassessed
      its review plans to determine if the 10 completed reviews provided sufficient
      support for the annual assurance statement.

    - At BIA’s Southern Pueblos Agency, we analyzed seven internal control reviews
      listed as support for the Education Line Officer’s FY2005 annual assurance
      statement. We found that portions of one review included on the annual
      assurance statement were counted separately as two additional reviews and
      another review listed was not completed.

AUDIT FOLLOW-UP

We found that DOI did not have reasonable assurance that corrective actions were
implemented to remedy deficiencies identified in OIG reports. As a result, audit
recommendations had been closed without implementation, and the underlying
deficiencies addressed in the OIG recommendations may still exist.

We reviewed nine PFM audit follow-up files and determined that PFM did not
adequately conduct and document its evaluations of bureau actions taken to implement
audit recommendations. Generally, we found that the PFM files were not well organized,
PFM analysts did not include documentation of their assessments and conclusions, and it
was difficult to locate or identify the documentation used to close specific
recommendations. We found that PFM officials and audit follow-up analysts were
unaware of or misinterpreted the guidance for classifying audit recommendations as
resolved and implemented. Specifically, we found:

    - None of the nine files contained documented analyses which summarized or
      supported the analysts’ reviews, conclusions, and opinions that corrective actions
      were sufficient to consider the recommendations resolved and implemented. In
      one case, a PFM analyst provided a bureau instruction memorandum to justify the
      classification of a recommendation as implemented. However, there was no
      evidence in the file that the analyst had reviewed the memorandum and concluded
      that the memorandum adequately addressed the recommendation. We concluded
      that issuance of this memorandum did not implement the recommendation.

    - Six of the nine files did not contain adequate documentation from the bureaus or
      any other source to support closure of the recommendations. For example, one
      recommendation was classified as resolved and implemented based on a verbal
      promise from a bureau to provide supporting documentation; however, the
      documentation was not subsequently provided. Another recommendation was
      erroneously classified as resolved and implemented. As a result of our review, a
      PFM official agreed to reclassify the recommendation.

    - Five of the nine files did not contain documented decisions and notifications to
      appropriate DOI and bureau officials that recommendations had been formally
      classified as resolved and implemented.

    - None of the nine files contained evidence that PFM was conducting supervisory
      reviews to ensure the audit follow-up files contained appropriate documentation
      to support audit resolution decisions.

Audit follow-up files should be sufficiently organized and documented to allow an
independent reviewer to conclude that corrective actions were sufficient to consider the
recommendations resolved and implemented.

In FY2005 and FY2006, OIG conducted verification reviews of selected
recommendations reported as implemented and found similar problems.
For example:

    - During FY2005, OIG completed verification reviews of 20 recommendations
      reported as implemented and found that 4 (20 percent) had not actually been
      implemented.

    - During FY2006, OIG completed verification reviews of 49 recommendations
      reported as implemented and found that 14 (29 percent) had not actually been
      implemented.

Circular A-50 provides the requirements for establishing systems to assure prompt and
proper resolution and implementation of audit recommendations. In addition, PFM
prepared DOI’s Handbook which includes policies and procedures for audit follow-up.
While we believe DOI’s handbook procedures provide valuable guidance, our audit
results demonstrate that the guidance was not being followed by PFM or the bureaus.
Specifically, the bureaus were not providing adequate documentation on the
implementation of OIG recommendations and PFM was closing recommendations
without sufficient documentation.

CONSEQUENCES OF WEAKNESSES IN DOI’S INTERNAL CONTROL PROGRAM

Weaknesses in the oversight of the internal control program, as they relate to the
effectiveness and efficiency of operations, increase the risk that DOI’s internal controls
cannot ensure:

    - programs achieve their intended results;

    - funds used are consistent with DOI’s mission; and

    - resources are protected from waste, fraud, and mismanagement.

Because of the weaknesses we identified in DOI’s internal control program, we
concluded that DOI was not in full compliance with the Federal Managers’ Financial
Integrity Act and Circulars A-123 and A-50. Additionally, we concluded that DOI’s
internal control program did not ensure that the bureaus’ annual assurance statements on
internal control were reliable.
Therefore, these bureau level assurances may not have
provided adequate support for the Secretary’s certification of DOI’s annual statement of
assurance.

BEST PRACTICES

We identified several best practices used by other federal agencies and DOI bureaus for
managing their internal control programs. If adopted by DOI, these practices could
strengthen DOI’s internal control program.

Assurance Statements from Program Managers

The General Services Administration (GSA) requires all program managers at the GS-15
level and above to sign an annual assurance statement on internal controls within their
programs. The GS-15 managers have the option to require signed assurance statements
from their subordinate managers at the GS-14 level. Program managers are directly
responsible for their programs and have the most direct and detailed knowledge of the
design and execution of internal controls.

DOI guidance only requires bureau directors and program assistant secretaries to sign
annual assurance statements to certify the adequacy of internal controls. Although not
required by Department policy, BIA and NPS require their regional directors to provide
assurance statements. Adopting the best practice of certifying annual assurance
statements at the program level would help to establish greater accountability for DOI
managers and could be used to support assurance statements from more senior
executives.

Annual Assurance Questionnaires

In addition to signing assurance statements, GSA program managers are required to
respond to an annual assurance questionnaire that provides detailed information on their
program’s compliance with internal control requirements. The questionnaire is
completed electronically using web technology and addresses key standards for internal
control.
The manager must answer specific questions related to the following internal
control aspects:

       Control Environment
       Risk Assessment
       Control Activities
       Information and Communication
       Monitoring

In addition to the general questionnaire required of all managers, GSA also provides topic
specific questionnaires for managers in certain areas such as technology procurement,
building management, and information technology.

Adopting this best practice would allow DOI to better document the controls in place for
each program. Questionnaires would help identify areas requiring additional controls and
could be used to hold program managers responsible for the existence of internal controls
in their program areas.

Greater Visibility for Internal Control Program

Both GSA and the Department of Education have developed executive level guidance on
internal control requirements that are provided to senior leaders within their
organizations. The guidance creates greater visibility for the internal control program
and provides senior management with a synopsis of key requirements for controls within
their organizations.

GSA provides a 20-page executive guide on internal controls to its senior leaders. The
guide provides highlights of key requirements found in laws and regulations such as the
Federal Managers’ Financial Integrity Act; the Federal Financial Management
Improvement Act; the Federal Information Security Management Act; Circular A-123,
and Circular A-127, “Financial Management Systems.” It also summarizes the internal
control process at GSA.
The guide provides a comprehensive view of internal control
requirements for senior executives in a short, readable format.

The Department of Education has created a “List of Guiding Factors” that highlights
major components of internal control as documented in GAO’s “Standards for Internal
Control in the Federal Government.” We were informed that each Assistant Secretary
within the Department of Education was required to discuss the guiding factors with their
management and then sign the list. Requiring that Assistant Secretaries address these
issues with their managers helps create an environment that stresses the importance of
internal controls within the organization.

Adopting these best practices would provide senior managers with the high level internal
control information they need and would help create a greater sense of management
accountability.

BLM’s Division of Evaluations and Management Services

BLM created the Division of Evaluations and Management Services, which conducts a
limited number of comprehensive internal control reviews for the bureau and provides
training to its field offices. Many of the Division’s 17 full-time analysts have specialized
experience and advanced degrees in fields such as management, administration, and
natural resources. Through their reviews, the Division provides advice to managers on
improving business practices and organizational effectiveness.
Adopting the best
practice of utilizing specialized personnel to conduct internal control reviews and provide
training could improve the internal control program at other bureaus.

MANAGEMENT VIEWS

While PFM agreed that the internal control program can be continually improved, it
disagreed with our overall conclusions regarding DOI’s existing internal control program.
Specifically, PFM stated that it has fully complied with Circular A-123 and insists that
DOI’s internal control program does ensure the bureaus’ annual assurance statements are
reliable and provide adequate support for the Secretary’s annual assurance statement.
Management indicated that it has taken a number of new steps to improve the internal
control processes during FY2005 and FY2006. Specifically, PFM:

   •   Required identification of assessable component inventories and risk assessments
       for those components.

   •   Required that a three year internal control review plan be developed tied to risk
       assessments.

   •   Prepared a checklist for upcoming site visits to bureaus to exercise oversight.

   •   Highlighted OIG recommendations during meetings with senior management.

   •   Initiated a monthly work group of bureau audit liaison officers and internal
       control coordinators to address the entire spectrum of internal control issues and
       processes.

   •   Conducted a review of 400 audit recommendations closed in FY2006 and
       determined that more than 75 percent of the time adequate documentation was
       available in PFM files. In most other cases the documentation was available at
       the bureau.
       Fewer than 10 recommendations were reopened due to lack of
       adequate closure documentation.

After considering management’s response, we stand by our conclusions on the
Department’s internal control program. Our audit results clearly show that the bureaus
we reviewed were not effectively implementing their internal control program
responsibilities and PFM had not taken sufficient steps to hold them accountable. The
assurance statements we reviewed were not adequately supported. They included lists of
reviews that were not completed and other activities, such as meetings, without
explaining how these activities supported the statement of assurance. Additionally, none
of the bureaus we reviewed had adequate processes for inventorying components,
performing risk assessments, documenting internal control reviews, or tracking
implementation of corrective actions on management-conducted reviews. Despite PFM’s
assertion to the contrary, the results of our audit demonstrated that DOI:

       had not implemented an effective internal control program,

       had not adequately supported annual statements of assurance, and

       was not in full compliance with the Federal Managers’ Financial Integrity Act and
       Circulars A-123 and A-50.

We performed additional procedures to evaluate the new processes that PFM cited in its
response to the draft report. We found that while PFM had developed additional
guidance and oversight procedures, PFM was still in the initial stages of their
implementation. For example, PFM developed a checklist to evaluate bureau internal
control programs and it had begun scheduling site visits to bureaus to implement the
checklist.
However, as of the date of its response, PFM had not yet conducted any site
visits and therefore, could not ensure that the bureaus have complied with the additional
guidance.

RECOMMENDATIONS

We recommend that the Assistant Secretary for Policy, Management and Budget:

   1. Direct PFM to develop and implement additional oversight procedures that ensure
      the bureaus are adequately implementing their internal control programs. These
      procedures should ensure that bureaus adequately plan and prioritize internal
      control reviews, adequately conduct and document those reviews, and provide
      accurate lists of internal control reviews to support their annual assurance
      statements.

      DOI Response

      DOI concurred with the recommendation and stated that PFM has increased the
      level of oversight and involvement in the end-to-end process for internal controls.
      For example, PFM has issued additional guidance requiring bureaus to identify
      component inventories, conduct comprehensive risk assessments, and establish
      three year internal control review plans based on those assessments. Additionally,
      PFM has developed review guides and plans to conduct field visits to review the
      adequacy of bureau efforts.

      OIG Analysis of DOI Response

      PFM has taken recent steps to implement additional oversight procedures, but has
      not yet completed sufficient oversight to ensure that bureaus are currently
      complying with its guidance.

   2. Require bureaus to develop and implement tracking systems to monitor:

             All internal control reviews planned, in progress, or completed and

             The status of identified deficiencies and corresponding corrective actions.

      DOI Response

      DOI concurred with the recommendation; however, the response stated that
      bureaus already have systems to monitor internal control reviews including
      Corrective Action Tracking System reports. Discrepancies resulting from internal
      control reviews are to be recorded in a corrective action plan identifying the
      originating source, responsible manager, system, audit finding, risk level,
      corrective action, target milestone dates, and overall status. The response stated
      that PFM will modify the process to collect and store closure documentation
      within PFM and not rely on bureaus to be the sole source of this data.

      OIG Analysis of DOI Response

      While bureaus do track corrective actions for audit recommendations, we found
      that the bureaus we reviewed did not track corrective actions for management-
      conducted reviews. In implementing this recommendation, PFM will need to
      ensure that bureaus expand their corrective action tracking to include actions
      identified in management-conducted reviews.

   3. Direct PFM to develop and implement additional oversight procedures for the
      audit follow-up process. These procedures should require PFM analysts to
      adequately document the bases for their conclusions that recommendations are
      resolved and implemented and should require supervisory review of that
      documentation.

      DOI Response

      DOI concurred with the recommendation and stated that it made changes to
      improve the audit follow-up process. Specifically, PFM has stressed the need for
      adequate documentation and timely closure of audit recommendations.
      PFM will
      also maintain documentation to support audit recommendation resolutions rather
      than rely on the Bureaus to supply these documents.

      OIG Analysis of DOI Response

      The actions taken by PFM are a step in the right direction. However, additional
      steps are necessary to strengthen the oversight process. PFM should develop
      procedures requiring analysts to adequately document the bases for their
      conclusions that recommendations are resolved and implemented and to require
      supervisory review of that documentation.

   4. Consider implementing the following best practices, where appropriate:

             Requiring all regional and state directors and program managers to
             provide annual assurance statements.

             Requiring all program managers to complete annual assurance
             questionnaires.

             Promoting greater visibility for the internal control program by developing
             executive guides and requiring bureau and office heads to address these
             issues with their management teams.

             Developing a staff that specializes in conducting internal control reviews
             and providing related training.

      DOI Response

      DOI concurred with the recommendation and is implementing the first two best
      practices identified in the report.
      These include requiring regional and state
      directors to provide annual assurance statements and requiring program managers
      to complete annual assurance questionnaires.

      OIG Analysis of DOI Response

      We encourage DOI to consider implementation of the remaining two identified
      best practices.

Appendix 1

SCOPE AND METHODOLOGY

Our audit included a review of DOI’s oversight of internal control programs, including
the internal control processes at BIA, BLM, BOR, and NPS. We also reviewed DOI’s
audit follow-up program for OIG audits. DOI was implementing new internal control
guidance as a result of revisions to Circular A-123. DOI requested that we delay our
audit until after the new requirements were implemented. We decided to continue with
the audit, but we defined our audit scope to include only those internal control
requirements already in existence and being carried forward into the revised Circular
A-123. We focused on requirements supporting the effectiveness and efficiency of
operations as well as compliance with related laws and regulations. We excluded
controls over the reliability of financial reporting and compliance with related laws and
regulations which are tested by KPMG LLP as part of DOI’s annual financial statement
audits.

To accomplish our objective, we:

       Reviewed the laws and regulations that prescribe the requirements for internal
       control programs at federal agencies.
       This included the Federal Managers’
       Financial Integrity Act, Circulars A-123 and A-50, DOI’s Departmental Manual,
       DOI’s Internal Control and Audit Follow-up Handbook, and DOI’s annual
       internal control and audit follow-up guidelines.

       Conducted site visits and interviewed officials from DOI and its bureaus, other
       federal agencies, and non-governmental entities.

       Reviewed a judgmental sample of 63 internal control reviews that were used to
       support the bureaus’ Annual Assurance Statements to determine compliance with
       OMB Circular A-123 and DOI’s Handbook. The Annual Assurance Statements
       did not clearly identify all reviews that were used to support the certification. In
       many cases, internal control reviews could only be identified and reviewed at the
       field level. Therefore, we conducted site visits at nine field locations where we
       selected our sample items. Because we did not select a statistical sample, the
       deficiencies we identified cannot be projected to the entire population of reviews.
       However, the results of our work support our conclusion that bureaus reviewed
       often did not conduct these reviews in accordance with PFM requirements.

       Judgmentally selected a sample of 9 closed recommendations from a list of 135
       OIG performance audit recommendations that were closed between October 2003
       and January 2006. We reviewed these recommendations to determine whether
       PFM had accurately concluded from bureau information provided that each
       recommendation had been resolved and implemented. Because we did not select
       a statistical sample, the deficiencies we identified cannot be projected to the entire
       population of reviews.
       Our conclusions on PFM’s audit follow-up process are
       supported by the results from our sample, our previous verification reviews on 69
       recommendations, and interviews with PFM analysts.

We determined that neither OIG nor GAO had performed an audit specific to the
management of DOI’s internal control program in the last 5 years. The accounting firm
KPMG annually reviews and reports on DOI’s financial operations. As part of these
reviews, KPMG tests DOI’s and bureaus’ internal controls for purposes of financial
reporting.

We conducted our audit from December 2005 through April 2007 in accordance with the
Government Auditing Standards, issued by the Comptroller General of the United States.
Accordingly, we included such tests of records and other auditing procedures considered
necessary under the circumstances.

Appendix 2

DOI OFFICES, BUREAUS, OTHER FEDERAL AGENCIES AND NON-GOVERNMENTAL ENTITIES CONTACTED

U.S. Department of the Interior
Office of the Secretary
     Office of Financial Management                      Washington, DC
     Office of the Chief Information Officer             Washington, DC
     Office of the Assistant Secretary - Indian Affairs  Reston, VA
     (Office of Audit and Evaluation)
Bureau of Indian Affairs
     Southwest Region Office                             Albuquerque, NM
     Office of Indian Education Programs (Southern       Albuquerque, NM
     Pueblos Agency)
Bureau of Land Management
     Alaska State Office                                 Anchorage, AK*
     Arizona State Office                                Phoenix, AZ*
     California State Office                             Sacramento, CA*
     Colorado State Office                               Lakewood, CO
     Division of Evaluation & Management Services        Washington, DC
     Idaho State Office                                  Boise, ID*
     Montana State Office                                Billings, MT*
     National Business Center (NBC)                      Denver, CO
     National Interagency Fire Center                    Boise, ID*
     Nevada State Office                                 Reno, NV*
     New Mexico State Office                             Santa Fe, NM*
     Oregon/Washington State Office                      Portland, OR*
     Utah State Office                                   Salt Lake City, UT*
     Wyoming State Office                                Cheyenne, WY*
Bureau of Reclamation
     Denver Office                                       Denver, CO
     Pacific Northwest Region                            Boise, ID*
Fish and Wildlife Services
     Policy and Directives Management                    Arlington, VA
Minerals Management Service
     Directorate of Policy and Management                Washington, DC
     Improvement
National Park Service
     Catoctin Mountain Park                              Thurmont, MD*
     Chesapeake and Ohio Canal                           Hagerstown, MD
     Comptroller's Office                                Washington, DC
     George Washington Memorial Parkway                  Memorial Parkway, VA*
     Manassas Battlefield National Park                  Manassas, VA
     National Capital Region Offices                     Washington, DC
     National Mall and Memorial Parks                    Washington, DC*
     Prince William Forest National Park                 Triangle, VA
Office of Surface Mining                                 Washington, DC
U.S. Geological Survey                                   Reston, VA
General Services Administration
     Chief Financial Officer                             Washington, DC
Government Accountability Office
     Director, Consolidated Audits                       Washington, DC*
Office of Management and Budget                          Washington, DC*
Social Security Administration
     Director, Policy and Standards                      Baltimore, MD*
U.S. Department of Education
     Chief Financial Officer                             Washington, DC*
KPMG                                                     Denver, CO

* Offices contacted without a site visit.

Appendix 3

ACRONYMS AND ABBREVIATIONS

BIA              Bureau of Indian Affairs
BLM              Bureau of Land Management
BOR              Bureau of Reclamation
Department       Department of the Interior
DOI              Department of the Interior
GAO              Government Accountability Office
GSA              General Services Administration
Handbook         Internal Control and Audit Follow-up Handbook
NPS              National Park Service
OIG              Office of Inspector General
OMB              Office of Management and Budget
PCIE             President’s Council on Integrity and Efficiency
PFM              Office of Financial Management
PMB              Office of Policy, Management and Budget
IT               Information Technology

Appendix 4

STATUS OF AUDIT RECOMMENDATIONS

Recommendations   Status                    Action Required

1                 Unresolved                PFM should provide additional
                                            information on actions taken or
                  Management concurred;     planned, including target dates
                  additional information    and titles of officials
                  needed                    responsible for implementation.

2                 Unresolved                PFM should provide additional
                                            information on actions taken or
                  Management concurred;     planned, including target dates
                  additional information    and titles of officials
                  needed                    responsible for implementation.

3                 Unresolved                PFM should provide additional
                                            information on actions taken or
                  Management concurred;     planned, including target dates
                  additional information    and titles of officials
                  needed                    responsible for implementation.

4                 Unresolved                PFM should reconsider
                                            implementation of the
                  Management concurred;     remaining two best practices
                  additional information    and provide additional
                  needed                    information on actions taken or
                                            planned, including target dates
                                            and titles of officials
                                            responsible for implementation.

Report Fraud, Waste, Abuse, and Mismanagement

Fraud, waste, and abuse in government concerns everyone: Office of Inspector
General staff, Departmental employees, and the general public. We actively
solicit allegations of any inefficient and wasteful practices, fraud, and abuse
related to Departmental or Insular Area programs and operations. You can report
allegations to us in several ways.

By Mail:          U.S. Department of the Interior
                  Office of Inspector General
                  Mail Stop 5341 MIB
                  1849 C Street, NW
                  Washington, D.C. 20240

By Phone          24-Hour Toll Free               800-424-5081
                  Washington Metro Area           703-487-5435

By Fax            703-487-5402

By Internet       www.doioig.gov/hotline